add cooldown period when resolving version numbers during bootstrapping #877
Description
The resolver automatically pulls in the latest version of each package that matches the rule being resolved. This means that as soon as a new version of a package is released, the next bootstrap operation will pull that version into the build. We want to introduce a "cooldown" period so that newly uploaded versions are only included in builds after they have been public for some number of days. This will give us a window to identify potentially malicious content in packages that have had their release pipelines subverted.
Requirements
All bootstrap commands should accept an option to specify the minimum age of a release before it should be included in a build. The default for the minimum age should be 0, indicating that packages can be included immediately. Only whole numbers of days are supported. Negative numbers are equivalent to 0.
All resolvers should honor the minimum age value. For resolvers that look at tags in git repositories, the date should come from the timestamp of the tag, if it is an annotated tag, or from the commit timestamp of the commit that was tagged otherwise. Resolvers that look at packages uploaded to servers (PyPI, etc.) should use the timestamp from when the package was uploaded.
The age of a package should be calculated by subtracting the timestamp of the release from the start time of the bootstrap process (not the current time when the resolution is happening). This ensures that resolving the same package multiple times during a build will produce the same results.
The per-package settings should provide an override to change the default age requirement. This is useful for packages that are maintained internally and known to be safe, to avoid having a delay (by setting the value to 0) or for riskier packages (by setting the value to a default that is larger than the command line option). The configured value should take priority over the value provided by the command line. This allows for different jobs (one to test builds and another to run the production builds) to easily pass different ages on the command line, but for the overrides to still take effect in both cases.
The list-versions command should also take a flag to specify the minimum age. The default should be 0. The detailed output should show the timestamp and age in whole days of each release. The list-versions command should also take an option to ignore the configured overrides for minimum age for separate packages. The default should be to honor the configuration settings, so that the command produces the same information that a bootstrap command would use, but by having an option to ignore the configuration settings we can use list-versions to show versions that have been ignored during bootstrapping.
The list-overrides command should be extended to show any configured minimum age value for packages with overrides.